US11563745B2ActiveUtilityA1

Method for data protection in a data processing cluster with policy-based partition

48
Assignee: BAIDU USA LLCPriority: Jun 12, 2020Filed: Jun 12, 2020Granted: Jan 24, 2023
Est. expiryJun 12, 2040(~13.9 yrs left)· nominal 20-yr term from priority
H04L 63/104H04L 41/0893G06N 20/00H04L 63/20H04L 63/10G06F 15/177
48
PatentIndex Score
0
Cited by
25
References
20
Claims

Abstract

Systems and methods are disclosed for data protection in a cluster of data processing accelerators (DPAs) using a policy that partitions the DPAs into one or more group of DPAs in the cluster. A host device instructs the DPAs to organize themselves into non-overlapping groups according to a policy for each DPA in the cluster. The policy indicates, for each DPA, one or more other DPAs the DPA is to establish a communication link with, to implement the grouping. Once grouped, the host device and a DPA can access all resources of the DPA. DPAs in the same group as a first DPA can access non-secure resources, but not secure resources, of the first DPA. DPAs in a different group from the first DPA cannot access any resources of the first DPA. A scheduler in the host device can allocate processing tasks to any group in the cluster.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method of configuring a cluster comprising a plurality of data processing accelerators (DPAs), the method comprising:
 receiving, by the plurality of DPAs, a configuration policy common to the plurality of DPAs, wherein the configuration policy describes making or breaking one or more communication paths for the plurality of DPAs; 
 configuring, by each of the plurality of DPAs itself, one or more connections with other DPAs in the plurality of DPAs, according at least a portion of the common configuration policy, wherein at least two of the plurality of DPAs configure themselves differently according to the common configuration policy, and wherein configuring the one or more connections comprises making, or breaking, a communication path between one of the plurality of DPAs and at least another one of the plurality of DPAs in the cluster described in the configuration policy; and 
 performing a processing task received by one or more of the plurality of DPAs in a first group of DPAs, wherein the first group of DPAs is one of a plurality of groups formed from the plurality of DPAs based on the common configuration policy. 
 
     
     
       2. The method of  claim 1 , wherein, before the configuring, by default:
 each DPA in the plurality of DPAs has at least one communication path to each of the other DPAs in the plurality of DPAs. 
 
     
     
       3. The method of  claim 1 , wherein before and after the configuring:
 a host system coupled to the plurality of DPAs has a communication path to each DPA in the plurality of DPAs and the host system has access to both secure resources and non-secure resources of each DPA in the plurality of DPAs. 
 
     
     
       4. The method of  claim 1 , wherein, after the configuring:
 a DPA in the plurality of DPAs, and one of the other DPAs in the plurality of DPAs can communicate with each other only if the configuration policy requires that both the DPA and the one of the other DPAs establish a communication path to each other. 
 
     
     
       5. The method of  claim 1 , wherein the configuration policy specifies that the plurality of DPAs be divided into at least two non-overlapping groups of DPAs. 
     
     
       6. The method of  claim 5 , wherein:
 each DPA in the first group of DPAs can access non-secure resources of each other DPA in the first group of DPAs. 
 
     
     
       7. The method of  claim 5 , wherein:
 no DPA in the first group of DPAs can communicate with a DPA in the second group of DPAs, and no DPA in the second group of DPAs can communicate with a DPA in the first group; and 
 no DPA in the first group can access resources of a DPA in the second group, and no DPA in the second group can access resources of a DPA in the first group. 
 
     
     
       8. The method of  claim 5 , wherein the first group is configured for use by a first application or a first user. 
     
     
       9. A data processing accelerator (DPA) comprising at least one hardware processor, the DPA comprising:
 a resource manager to receive a common configuration policy shared with a plurality of DPAs of a cluster, wherein the DPA is one of the plurality of DPAs, and to configure, by the DPA itself, one or more connections between the DPA and other DPAs in the plurality of DPAs, according to at least a portion of the common configuration policy, wherein the configuration policy describes making or breaking one or more communication paths for the plurality of DPAs, and wherein the PDA configures itself differently than at least another one of the plurality of DPAs according to the common configuration policy, and wherein to configure the one or more connections comprises making, or breaking, a communication path between one of the plurality of DPAs and at least another one of the plurality of DPAs in the cluster described in the configuration policy; and 
 processing logic to perform a processing task received by the DPA in a first group of DPAs, wherein the first group of DPAs is one of a plurality of groups formed from the plurality of DPAs based on the common configuration policy. 
 
     
     
       10. The DPA of  claim 9 , wherein, before the configuring:
 each DPA in the plurality of DPAs has at least one communication path to each of the other DPAs in the plurality of DPAs. 
 
     
     
       11. The DPA of  claim 9 , wherein before and after the configuring:
 a host system coupled to the plurality of DPAs has a communication path to each DPA in the plurality of DPAs and the host system has access to both secure resources and non-secure resources of each DPA in the plurality of DPAs. 
 
     
     
       12. The DPA of  claim 9 , wherein, after the configuring:
 a DPA in the plurality of DPAs, and one of the other DPAs in the plurality of DPAs, can communicate with each other only if the configuration policy requires that both the DPA and the one of the other DPAs establish a communication path to each other. 
 
     
     
       13. The DPA of  claim 9 , wherein the configuration policy specifies that the plurality of DPAs be divided into at least two non-overlapping groups of DPAs. 
     
     
       14. The DPA of  claim 13 , wherein:
 each DPA in a first group of DPAs can communicate with each other DPA in the first group of DPAs, and 
 each DPA in the first group of DPAs can access non-secure resources of each other DPA in the first group of DPAs. 
 
     
     
       15. The DPA of  claim 13 , wherein:
 no DPA in the first group of DPAs can communicate with a DPA in the second group of DPAs, and no DPA in the second group of DPAs can communicate with a DPA in the first group; and 
 no DPA in the first group can access resources of a DPA in the second group, and no DPA in the second group can access resources of a DPA in the first group. 
 
     
     
       16. The DPA of  claim 13 , wherein the first group is configured for use by a first application or a first user. 
     
     
       17. A system comprising at least one hardware processor coupled to a memory programmed with executable instructions that, when executed by the at least one hardware processor, perform operations using a cluster comprising a plurality of data processing accelerators (DPAs), the operations comprising:
 receiving, by the plurality of DPAs, a configuration policy common to the plurality of DPAs, wherein the configuration policy describes making or breaking one or more communication paths for the plurality of DPAs; 
 configuring, by each of the plurality of DPAs itself, one or more connections with other DPAs in the plurality of DPAs, according at least a portion of the common configuration policy, wherein at least two of the plurality of DPAs configure themselves differently according to the common configuration policy, and wherein configuring the one or more connections comprises making, or breaking, a communication path between one of the plurality of DPAs and at least another one of the plurality of DPAs in the cluster described in the configuration policy; and 
 performing a processing task using one or more DPAs in a first group of DPAs, wherein the first group of DPAs is one of a plurality of groups formed from the plurality of DPAs based on the common configuration policy. 
 
     
     
       18. The system of  claim 17 , wherein, before the configuring:
 each DPA in the plurality of DPAs has at least one communication path to each of the other DPAs in the plurality of DPAs. 
 
     
     
       19. The system of  claim 17 , wherein before and after the configuring:
 a host system coupled to the plurality of DPAs has a communication path to each DPA in the plurality of DPAs and the host system has access to both secure resources and non-secure resources of each DPA in the plurality of DPAs. 
 
     
     
       20. The system of  claim 17 , wherein, after the configuring:
 a DPA in the plurality of DPAs, and one of the other DPAs in the plurality of DPAs, can communicate with each other only if the configuration policy requires that both the DPA and the one of the other DPAs establish a communication path to each other.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.